{"id":7249,"date":"2024-11-01T08:56:14","date_gmt":"2024-11-01T08:56:14","guid":{"rendered":"https:\/\/www.hosted.com\/articles\/?p=7249"},"modified":"2026-02-12T10:36:12","modified_gmt":"2026-02-12T10:36:12","slug":"disable-xmlrpc-php-in-wordpress","status":"publish","type":"post","link":"https:\/\/www.hosted.com\/articles\/disable-xmlrpc-php-in-wordpress\/","title":{"rendered":"xmlrpc.php In WordPress: What It Is And Why Disable It"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1-1024x399.png\" alt=\"Header Text - What is WordPress xmlrpc.php &amp; Why Disable it?\" title=\"Hosted\u00ae Tutorial - xmlrpc.php in WordPress: What it is &amp; Why Disable it\" class=\"wp-image-7255\" width=\"1024\" height=\"399\" srcset=\"https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1-1024x399.png 1024w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1-300x117.png 300w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1-768x300.png 768w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1-960x374.png 960w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1-603x235.png 603w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-1.png 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In <a href=\"https:\/\/www.hosted.com\/hosting\/wordpress\" alt=\"Link to Hosted.com Website - WordPress Hosting\" title=\"Hosted.com - WordPress Hosting\" target=\"_blank\" rel=\"noopener\">WordPress<\/a>, xmlrpc.php is a file that allows your website to communicate with external applications, such as mobile apps or remote publishing tools. 
It acts as a bridge that enables you to access and control your site from outside the WordPress dashboard. While this functionality can be useful, it&#8217;s important to understand how XML-RPC works, as it has been linked to <a href=\"https:\/\/www.hosted.com\/blog\/risks-and-realities-of-unsecure-websites\/\" alt=\"Link to Hosted.com Blogs - Risks And Realities Of Unsecure Websites\" title=\"Hosted.com - Risks And Realities Of Unsecure Websites\" target=\"_blank\" rel=\"noopener\">several security risks<\/a>.<\/p>\n\n\n\n<p>One of the major concerns with XML-RPC is its vulnerability to brute force attacks and <a href=\"https:\/\/www.hosted.com\/articles\/wordpress-ddos-protection\/\" alt=\"Link to Hosted.com Articles - WordPress DDOS Protection - Shield Your Website From Online Threats\" title=\"Hosted.com - WordPress DDOS Protection - Shield Your Website From Online Threats\" target=\"_blank\" rel=\"noopener\">Distributed Denial of Service (DDoS)<\/a> attempts. Hackers often target this file to exploit weak points in your website&#8217;s security, potentially gaining unauthorized access or overloading your server. Due to these risks, many WordPress users disable xmlrpc.php to enhance their site&#8217;s safety.<\/p>\n\n\n\n<p>Here, we explain what xmlrpc.php is, why it was created, and how it was used then and now. Next, we\u2019ll go through the reasons for disabling XML-RPC in WordPress. After that, we\u2019ll explore 2 ways to check if XML-RPC is enabled on your website. Lastly, we\u2019ll go through the step-by-step process to disable XML-RPC manually and via a plugin. 
<\/p>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"key-takeaways\">KEY TAKEAWAYS<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>The xmlrpc.php file allows WordPress to communicate with other apps and services, like mobile apps or remote publishing tools.<\/li>\n\n\n\n<li>It was created to help users manage their WordPress sites remotely, especially when internet connections were slow.<\/li>\n\n\n\n<li>Over time, xmlrpc.php has become less useful as newer technologies like the REST API have replaced it. However, the XML-RPC exploit has become a major security concern, as hackers can misuse this file to launch brute force attacks or DDoS attacks, damaging your website.<\/li>\n\n\n\n<li>Disabling xmlrpc.php can help protect your site from these attacks, improving security and performance.<\/li>\n\n\n\n<li>Disable XML-RPC easily using a plugin or manually editing your site&#8217;s .htaccess file.<\/li>\n\n\n\n<li>For most users, disabling xmlrpc.php won\u2019t affect daily site operations unless you rely on certain remote publishing features or specific plugins.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h3 class=\"h4\">TABLE OF CONTENTS<\/h3><nav><ul><li class=\"\"><a href=\"#key-takeaways\">KEY TAKEAWAYS<\/a><\/li><li class=\"\"><a href=\"#what-is-xml-rpc\">What is XML-RPC?<\/a><\/li><li class=\"\"><a href=\"#why-was-xml-rpc-created-how-was-it-used\">Why was XML-RPC Created &amp; How was it Used?<\/a><\/li><li class=\"\"><a href=\"#xml-rpc-nowadays\">XML-RPC Nowadays<\/a><\/li><li class=\"\"><a href=\"#why-disable-xml-rpc\">Why Disable XML-RPC?<\/a><ul><li class=\"\"><a href=\"#brute-force-attacks\">Brute Force Attacks<\/a><\/li><li class=\"\"><a href=\"#d-do-s-attacks\">DDoS Attacks<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#check-if-xml-rpc-is-enabled\">Check if XML-RPC is Enabled<\/a><ul><li class=\"\"><a href=\"#check-via-browser\">Check via Browser<\/a><\/li><li class=\"\"><a 
href=\"#check-via-online-tools\">Check via Online Tools<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#how-to-disable-xml-rpc\">How to Disable XML-RPC<\/a><\/li><li class=\"\"><a href=\"#use-plugin-to-disable-xmlrpc-php\">Use Plugin to Disable xmlrpc.php<\/a><\/li><li class=\"\"><a href=\"#manually-disable-xml-rpc-via-htaccess-file\">Manually Disable XML-RPC via .htaccess File<\/a><\/li><li class=\"\"><a href=\"#fa-qs\">FAQS<\/a><\/li><li class=\"\"><a href=\"#other-related-tutorials-blogs\">Other Related Tutorials &amp; Blogs:<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading h3\" id=\"what-is-xml-rpc\">What is XML-RPC?<\/h2>\n\n\n\n<p>XML-RPC is a feature used by WordPress to transmit data between your site and external systems. It relies on <a href=\"https:\/\/www.hosted.com\/blog\/difference-between-http-and-https\/\" alt=\"Link to Hosted.com Blogs - Understanding The Key Difference Between HTTP And HTTPS\" title=\"Hosted.com - Understanding The Key Difference Between HTTP And HTTPS\" target=\"_blank\" rel=\"noopener\">HTTP<\/a> as the transport mechanism and XML as the encoding format to facilitate communication. The file is essentially a bridge that allows WordPress, which isn&#8217;t a self-contained system, to interact with other applications and devices.<\/p>\n\n\n\n<p>When WordPress first introduced xmlrpc.php, its primary purpose was to allow users to access and manage their websites remotely. For instance, if you need to post content and are away from your PC or computer, you can use your mobile device to publish posts through the XML-RPC feature. This made remote management convenient and accessible for many users.<\/p>\n\n\n\n<p>In addition to providing remote access, the XML-RPC file also provides some core features; for example, it helps enable trackbacks and pingbacks, features letting other websites notify you when they link to your content. 
Additionally, some tools and plugins, like <a href=\"https:\/\/jetpack.com\/\" alt=\"Link to JetPack - Website\" title=\"JetPack - Website\" target=\"_blank\" rel=\"noopener\">Jetpack<\/a>, rely on xmlrpc.php to work properly, allowing you to use extra features for your site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading h3\" id=\"why-was-xml-rpc-created-how-was-it-used\">Why was XML-RPC Created &amp; How was it Used?<\/h2>\n\n\n\n<p>XML-RPC has been around since before WordPress was even called WordPress. In the internet\u2019s early days, publishing content online wasn\u2019t as easy as it is today.<\/p>\n\n\n\n<p>The internet was slow, and writing directly on a web page could be time-consuming. Instead, most people wrote their content offline and then copied and pasted it onto the web. However, this process was far from perfect.<\/p>\n\n\n\n<p>To solve this problem, offline blogging clients were created. These clients allowed users to write content offline and then connect to their blogs to publish it once they were ready. WordPress XMLRPC was the tool that made this connection possible, making it easier for people to get their content online, even with the internet being slow at that time.<\/p>\n\n\n\n<p>In this way, with a connection between offline blogging clients and <a href=\"https:\/\/www.hosted.com\/knowledgebase\/wordpress\/what-is-wordpress-cms\/\" alt=\"Link to Hosted.com KBs - What Is WordPress\" title=\"Hosted.com - What Is WordPress\" target=\"_blank\" rel=\"noopener\">WordPress<\/a>, users could compose their content offline. When they were ready to post, xmlrpc.php would connect their blogging client to their WordPress site, allowing them to publish their content quickly and easily.<\/p>\n\n\n\n<p>This was especially helpful for people who were often on the go or didn\u2019t have reliable internet access. 
Instead of waiting for a stable connection to write online, users could write offline and publish when convenient, thanks to XML-RPC.<\/p>\n\n\n\n<p>As WordPress grew, XML-RPC became an important feature for users who needed to access their sites from different devices. It allowed bloggers to log in to WordPress from their mobile phones or other computers. This made it possible to manage a WordPress site without being tied to a specific device, which was a game changer.<\/p>\n\n\n\n<p>WordPress developers created the basic framework for XML-RPC to handle these remote connections. It was a way for WordPress to communicate with outside tools, making it more flexible and user-friendly for bloggers everywhere.<\/p>\n\n\n\n<p>Furthermore, when XML-RPC was first introduced, it was turned off by default in WordPress. Users had to enable it manually to use remote access features. This changed in WordPress 2.6 when an option was added to the dashboard to enable or disable XML-RPC easily. Users could choose whether to allow remote access to their site or not.<\/p>\n\n\n\n<p>By the time WordPress 3.5 was released, XML-RPC was enabled by default. This change happened with the launch of the WordPress mobile app, which relied heavily on XML-RPC to allow users to manage their sites from their phones. With this update, WordPress removed the option to disable XML-RPC from the dashboard, making remote site management easier for everyone.<\/p>\n\n\n\n<h2 class=\"wp-block-heading h3\" id=\"xml-rpc-nowadays\">XML-RPC Nowadays<\/h2>\n\n\n\n<p>So, XML-RPC was very useful in its early years, but today, it is considered an outdated technology in WordPress. With the introduction of the REST API, most developers and site owners prefer using this newer, more secure, and flexible API for connecting WordPress with external applications.<\/p>\n\n\n\n<p>The REST API offers better website security, performance, and ease of use, which has led to a decline in the use of XML-RPC. 
However, some legacy tools, plugins, and applications still rely on XML-RPC for remote access, so it remains active by default on many <a href=\"https:\/\/www.hosted.com\/articles\/installing-wordpress-guide\/\" alt=\"Link to Hosted.com Articles - Installing WordPress - Step-by-Step Guide\" title=\"Hosted.com - Installing WordPress - Step-by-Step Guide\" target=\"_blank\" rel=\"noopener\">WordPress installations<\/a>.<\/p>\n\n\n\n<p>Despite its decreasing use, XML-RPC poses security risks, especially if not properly protected. Cybercriminals often target xmlrpc.php in brute force attacks to guess login credentials or <a href=\"https:\/\/www.hosted.com\/articles\/load-balancing-for-wordpress\/\" alt=\"Link to Hosted.com Articles - Load Balancing for WordPress Hosting Performance\" title=\"Hosted.com - Load Balancing for WordPress Hosting Performance\" target=\"_blank\" rel=\"noopener\">overload the web server<\/a> with excessive requests.<\/p>\n\n\n\n<p>Because of these risks, many site owners choose to disable XML-RPC if they are not using remote publishing tools or other features that depend on it. This reduces WordPress xmlrpc attacks and helps <a href=\"https:\/\/www.hosted.com\/knowledgebase\/wordpress\/secure-a-wordpress-site\/\" alt=\"Link to Hosted.com KBs - How To Secure A WordPress Site\" title=\"Hosted.com - How To Secure A WordPress Site\" target=\"_blank\" rel=\"noopener\">keep the site more secure<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading h3\" id=\"why-disable-xml-rpc\">Why Disable XML-RPC?<\/h2>\n\n\n\n<p>One of the major concerns with xmlrpc.php is the <a href=\"https:\/\/www.hosted.com\/articles\/common-wordpress-security-issues\/\" alt=\"Link to Hosted.com Articles - Safeguarding Your Website - Common WordPress Security Issues\" title=\"Hosted.com - Safeguarding Your Website - Common WordPress Security Issues\" target=\"_blank\" rel=\"noopener\">security risks it introduces to your WordPress site<\/a>. 
The XML-RPC file itself isn&#8217;t the problem; it\u2019s how hackers can exploit it that creates vulnerabilities. Attackers have found ways to misuse xmlrpc.php to target websites with brute force and DDoS attacks, making it a weak spot if unprotected.<\/p>\n\n\n\n<p>Remember that <a href=\"https:\/\/www.hosted.com\/articles\/password-protect-a-wordpress-site\/\" alt=\"Link to Hosted.com Articles - How to Password Protect A WordPress Site - The Ultimate Guide\" title=\"Hosted.com - How to Password Protect A WordPress Site - The Ultimate Guide\" target=\"_blank\" rel=\"noopener\">using strong passwords<\/a> and installing <a href=\"https:\/\/www.hosted.com\/articles\/wordpress-security-plugins-2\/\" alt=\"Link to Hosted.com Articles - WordPress Security Plugins - Enhancing WordPress Site Safety\" title=\"Hosted.com - WordPress Security Plugins - Enhancing WordPress Site Safety\" target=\"_blank\" rel=\"noopener\">security plugins<\/a> are good steps to protect your WordPress site, but with XML-RPC, the best way to secure your site is to disable it entirely. Since it is a common target for hackers, turning off xmlrpc.php reduces the risk of exploitation, keeping your site safer from common attacks.<\/p>\n\n\n\n<p>Here are 2 primary reasons to make you think about disabling the xmlrpc.php file:<\/p>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"brute-force-attacks\">Brute Force Attacks<\/h3>\n\n\n\n<p>The first involves brute force attacks, where hackers attempt to access your site by trying various combinations of usernames and passwords. What makes XML-RPC particularly dangerous is that attackers can use a single command to test hundreds of password variations at once. 
This tactic can evade security plugins that normally block brute force attempts, giving hackers more chances to break into your site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"d-do-s-attacks\">DDoS Attacks<\/h3>\n\n\n\n<p>The second vulnerability is through Distributed Denial of Service (DDoS) attacks. Hackers can exploit the pingback feature in WordPress to send a flood of requests to thousands of websites simultaneously.<\/p>\n\n\n\n<p>By using xmlrpc.php, attackers can distribute these attacks over numerous IP addresses, making them difficult to trace and stop, which can ultimately take down your WordPress website by overwhelming the server.<\/p>\n\n\n\n<p>Aside from DDoS and brute force attacks, xmlrpc.php is linked to additional security risks, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cross-Site Scripting (XSS):<\/strong> Malicious scripts can be injected through poorly sanitized XML-RPC requests.<\/li>\n\n\n\n<li><strong>SQL Injection:<\/strong> When XML-RPC data is not handled properly, attackers may manipulate database queries.<\/li>\n\n\n\n<li><strong>Remote Code Execution:<\/strong> Vulnerabilities in xmlrpc.php can allow hackers to run unwanted code on your server, compromising its security.<\/li>\n<\/ul>\n\n\n\n<p>These risks make it crucial to manage or disable XML-RPC if not in use. However, there are times when you may need to keep XML-RPC enabled. If you use remote publishing tools to manage your WordPress site from a mobile device or a third-party app, xmlrpc.php is necessary.<\/p>\n\n\n\n<p>Moreover, some plugins or services also rely on this file for certain features. In these cases, you\u2019ll want to keep xmlrpc.php enabled but ensure it is properly secured.<\/p>\n\n\n\n<h2 class=\"wp-block-heading h3\" id=\"check-if-xml-rpc-is-enabled\">Check if XML-RPC is Enabled<\/h2>\n\n\n\n<p>Before you dive into the steps to disable WordPress XMLRPC, it\u2019s important to check if it\u2019s enabled or not. 
There are a few simple ways to check if XML-RPC is enabled on your WordPress site. Here are two methods you can use:<\/p>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"check-via-browser\">Check via Browser<\/h3>\n\n\n\n<p>Open your favorite web browser and type <em>yourwebsite.com\/xmlrpc.php<\/em> in the address bar, replacing <em>yourwebsite.com<\/em> with your domain name. Then, press <strong>Enter<\/strong>.<\/p>\n\n\n\n<p>If XML-RPC is enabled, you will see a message saying, \u201cXML-RPC server accepts POST requests only\u201d.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-01.png\" alt=\"How To Disable xmlrpc.php in WordPress - WordPress XMLRPC Is Enabled\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - WordPress XMLRPC Is Enabled\" width=\"633\" height=\"36\" \/><\/figure>\n<\/div>\n\n\n<p>In contrast, if XML-RPC is disabled, you will see an error message like <a href=\"https:\/\/www.hosted.com\/articles\/403-forbidden-error\/\" alt=\"Link to Hosted.com Tutorials - 403 Forbidden Error Explained - Easy Fixes for Your Website\" title=\"Hosted.com - 403 Forbidden Error Explained - Easy Fixes for Your Website\" target=\"_blank\" rel=\"noopener\">403 Forbidden<\/a> or \u201c404 Not Found\u201d, which means it is blocked or unavailable.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-02.png\" alt=\"How To Disable xmlrpc.php in WordPress - XMLRPC Is Disabled\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - XMLRPC Is Disabled\" width=\"641\" height=\"293\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading h4\" id=\"check-via-online-tools\">Check via Online Tools<\/h3>\n\n\n\n<p>Some free online tools help you 
test if XML-RPC is enabled. For this tutorial, we use XML-RPC Validator. Here\u2019s how to use it:<\/p>\n\n\n\n<p>Go to the <a href=\"https:\/\/xmlrpc.blog\/\" alt=\"Link to WordPress XML-RPC - Validation Service\" title=\"WordPress XML-RPC - Validation Service\" target=\"_blank\" rel=\"noopener\">official website of XML-RPC Validator<\/a>. Enter your website&#8217;s URL in the <strong>Address <\/strong>box and click <strong>Check <\/strong>to see if the WordPress XMLRPC is enabled.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-03.png\" alt=\"How To Disable xmlrpc.php in WordPress - XML-RPC Validation\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - XML-RPC Validation\" width=\"713\" height=\"156\" \/><\/figure>\n<\/div>\n\n\n<p>If it\u2019s enabled, the tool will confirm that it is working and show a success message as follows:<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-04.png\" alt=\"How To Disable xmlrpc.php in WordPress - XML-RPC Is Enabled\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - XML-RPC Is Enabled\" width=\"728\" height=\"151\" \/><\/figure>\n<\/div>\n\n\n<p>However, if that\u2019s disabled, it will show an error as follows:<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-05.png\" alt=\"How To Disable xmlrpc.php in WordPress - 403 Error Indicating WordPress XMLRPC Is Disabled\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - 403 Error Indicating WordPress XMLRPC Is Disabled\" width=\"741\" height=\"131\" 
\/><\/figure>\n<\/div>\n\n\n<p>Using either of these methods will quickly let you know whether XML-RPC is enabled or disabled on your WordPress site. If it\u2019s enabled, you can use any of the following methods to disable it.<\/p>\n\n\n\n<div style=\"margin-top: 20px; margin-bottom: 20px;\">\n<div class=\"bg-primary-xxlight rounded-md mt-3 mb-3 p-3 text-center border border-primary-xlight border-2x\">\n<p class=\"font09 m-0\">Learn about xmlrpc.php in WordPress, its functions, and the reasons you might consider disabling it for better security.<br>Unlock the benefits of <a alt=\"Link to Hosted.com Website - WordPress Hosting\" title=\"Hosted.com - WordPress Hosting\" href=\"https:\/\/www.hosted.com\/hosting\/wordpress\" target=\"_blank\" rel=\"noopener\">Hosted\u00ae\u2019s WordPress Hosting<\/a>, optimized for security and maximized website performance.<\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading h3\" id=\"how-to-disable-xml-rpc\">How to Disable XML-RPC<\/h2>\n\n\n\n<p>If you want to protect your WordPress site from the security risks posed by xmlrpc.php, one of the easiest methods to disable it is with a plugin. Do this to quickly turn off XML-RPC without manually modifying any code.<\/p>\n\n\n\n<p>This is the safest option for most users, especially if you\u2019re uncomfortable editing your site\u2019s core files. Let\u2019s start with the step-by-step instructions for disabling XML-RPC using a plugin.<\/p>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"use-plugin-to-disable-xmlrpc-php\">Use Plugin to Disable xmlrpc.php<\/h3>\n\n\n\n<p>Go to <strong>WordPress Admin Dashboard<\/strong> \u2192 <strong>Plugins <\/strong>\u2192 <strong>Add New Plugin<\/strong>. In the search box, type \u201cDisable XML-RPC-API\u201d. 
Once you\u2019ve found the plugin, click <strong>Install Now<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-06.png\" alt=\"How To Disable xmlrpc.php in WordPress - Install WordPress Plugin\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - Install WordPress Plugin\" width=\"817\" height=\"321\" \/><\/figure>\n<\/div>\n\n\n<p>After the installation is complete, the button will change to <strong>Activate<\/strong>. Click <strong>Activate<\/strong> to enable this plugin on your site.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-07.png\" alt=\"How To Disable xmlrpc.php in WordPress - Activate Plugin\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - Activate Plugin\" width=\"485\" height=\"305\" \/><\/figure>\n<\/div>\n\n\n<p>You\u2019ll now see a new option: <strong>XML-RPC Security<\/strong> in your WordPress Dashboard. The great thing about this plugin is that no additional setup is required. Once activated, xmlrpc.php is disabled automatically.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-08.png\" alt=\"How To Disable xmlrpc.php in WordPress - Disable XML-RPC\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - Disable XML-RPC\" width=\"816\" height=\"279\" \/><\/figure>\n<\/div>\n\n\n<p>After activating the plugin, verify that XML-RPC is not accessible anymore. To do that, type <em>yourwebsite.com\/xmlrpc.php<\/em> into your browser (ensure you replace <em>yourwebsite.com <\/em>with your actual domain name). 
If XML-RPC is disabled, you will see a 403 Forbidden or 404 Not Found error message, meaning the file is no longer accessible.<\/p>\n\n\n\n<p><strong>Important: <\/strong>Some plugins, like Disable XML-RPC-API, may not require configuration. However, if you use a broader security plugin, you may need to navigate to the plugin\u2019s settings page and manually disable WordPress XMLRPC. If you ever need to re-enable XML-RPC, deactivate or uninstall the plugin.<\/p>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"manually-disable-xml-rpc-via-htaccess-file\">Manually Disable XML-RPC via .htaccess File<\/h3>\n\n\n\n<p>If you prefer not to use a plugin, you can manually disable XML-RPC by editing your <strong>.htaccess<\/strong> file. The <strong>.htaccess<\/strong> file controls how your server handles requests.<\/p>\n\n\n\n<p>If you add a few lines of code, you can block the entrance to XML-RPC. This gives you more control and is a simple way to block access to xmlrpc.php on your WordPress site. Here\u2019s how to do that:<\/p>\n\n\n\n<p>First, connect to your WordPress website using an FTP client (such as <a href=\"https:\/\/www.hosted.com\/knowledgebase\/hosting\/configure-a-site-in-filezilla\/\" alt=\"Link to Hosted.com KBs - How To Configure A Site In FileZilla\" title=\"Hosted.com - How To Configure A Site In FileZilla\" target=\"_blank\" rel=\"noopener\">FileZilla<\/a> or <a href=\"https:\/\/www.hosted.com\/knowledgebase\/hosting\/configure-a-site-in-winscp\/\" alt=\"Link to Hosted.com KBs - How To Configure A Site In WinSCP\" title=\"Hosted.com - How To Configure A Site In WinSCP\" target=\"_blank\" rel=\"noopener\">WinSCP<\/a>) or your hosting provider\u2019s <strong>File Manager. 
<\/strong>For this tutorial, we continue with the <strong>File Manager<\/strong> you access as a Hosted user by navigating to <strong>cPanel <\/strong>\u2192 <strong>Tools <\/strong>\u2192 <strong>Files <\/strong>\u2192 <strong>File Manager<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-09.png\" alt=\"How To Disable xmlrpc.php in WordPress - Access File Manager\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - Access File Manager\" width=\"806\" height=\"282\" \/><\/figure>\n<\/div>\n\n\n<p>Once inside <strong>File Manager<\/strong>, locate the <strong>.htaccess<\/strong> in the root directory of the WordPress installation; it is <strong>public_html<\/strong>. It might be a different directory like <strong>www<\/strong>; this depends on your hosting environment.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-10.png\" alt=\"How To Disable xmlrpc.php in WordPress - Locate .htaccess File\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - Locate .htaccess File\" width=\"631\" height=\"313\" \/><\/figure>\n<\/div>\n\n\n<p>Select the <strong>.htaccess<\/strong> file and click <strong>Edit <\/strong>at the top to open this in the Hosted control panel\u2019s built-in editor.<\/p>\n\n\n<div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/images\/kb\/tutorials\/Tut-OS-049-11.png\" alt=\"How To Disable xmlrpc.php in WordPress - Edit .htaccess File\" title=\"xmlrpc.php in WordPress: What it is &amp; Why Disable it - Edit .htaccess File\" width=\"632\" height=\"284\" \/><\/figure>\n<\/div>\n\n\n<p>Once the 
<strong>.htaccess<\/strong> file is opened, add the following code snippet at the bottom of the file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Block WordPress XMLRPC requests\n&lt;Files xmlrpc.php&gt;\norder deny,allow\ndeny from all\nallow from xxx.xxx.xxx.xxx\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<p>Replace <em>xxx.xxx.xxx.xxx<\/em> with the IP address you want to grant access to xmlrpc.php or remove this line entirely if no IP addresses should have access.<\/p>\n\n\n\n<p>To grant access to more than one IP address for xmlrpc.php, add a line with the <em>allow from xxx.xxx.xxx.xxx<\/em> below the previous <strong>allow <\/strong>rule. The code will appear as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Block WordPress XMLRPC requests\n&lt;Files xmlrpc.php&gt;\norder deny,allow\ndeny from all\nallow from xxx.xxx.xxx.xxx\nallow from xxx.xxx.xxx.xxx\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<p>Lastly, save the file after adding the code. However, if you downloaded a <strong>.htaccess<\/strong> file to make changes locally, you should upload it back to your server to overwrite the existing file.<\/p>\n\n\n\n<p><strong>Important: <\/strong>We recommend you create a backup of your <strong>.htaccess <\/strong>file before making any changes. Otherwise, you may experience unexpected results.<\/p>\n\n\n\n<p>Once again, visit your <em>website.com\/xmlrpc.php<\/em>. If the file is disabled, you\u2019ll see an error message confirming the code has successfully blocked XML-RPC.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hosted.com\/hosting\/wordpress\" alt=\"Link to Hosted\u00ae - WordPress Hosting\" title=\"Hosted\u00ae - WordPress Hosting\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2-1024x229.png\" alt=\"Strip Banner Text - Hosted\u00ae offers secure WordPress Hosting solutions. 
[Learn more]\" title=\"Hosted\u00ae WordPress Hosting Fast \u2013 Secure - Stable\" class=\"wp-image-7254\" width=\"1024\" height=\"229\" srcset=\"https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2-1024x229.png 1024w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2-300x67.png 300w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2-768x172.png 768w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2-960x214.png 960w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2-1052x235.png 1052w, https:\/\/www.hosted.com\/articles\/wp-content\/uploads\/2024\/11\/xmlrpc-php-2.png 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading h4\" id=\"fa-qs\">FAQs<\/h3>\n\n\n<div id=\"rank-math-faq\" class=\"rank-math-block\">\n<div class=\"rank-math-list \">\n<div id=\"faq-question-1730445782195\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">What is xmlrpc.php in WordPress?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>XML-RPC is a file in WordPress that helps your website communicate with external applications and services. It allows you to manage your site remotely, like publishing a blog post from a mobile app or connecting to tools like Jetpack.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730445791663\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">Why should I disable XML-RPC?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>Hackers can target XML-RPC for attacks like brute force or DDoS attacks which make your site vulnerable. 
Disabling it helps improve your site\u2019s security and prevents these threats.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730445797206\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">Will disabling XML-RPC affect my site?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>If you don\u2019t use remote tools, like the WordPress mobile app or Jetpack, disabling xmlrpc.php won\u2019t affect your site. However, if you use those services, they may stop working after disabling it.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730445799244\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">How can I disable XML-RPC in WordPress?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>You can disable xmlrpc.php easily using a plugin like Disable XML-RPC-API or editing your .htaccess file to block access manually.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730446671224\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">What happens if XML-RPC is enabled?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>When xmlrpc.php is enabled, it allows remote access to your WordPress site. 
While this can be useful, it also creates a security risk if hackers try to exploit it for attacks.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730446678631\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">What is a DDoS attack using XML-RPC?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>A DDoS attack happens when hackers use xmlrpc.php to send numerous requests to your site, overloading your server and causing it to crash or slow down.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730446679401\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">Do I need XML-RPC for Jetpack?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>Yes, Jetpack relies on xmlrpc.php to work properly. If you use Jetpack\u2019s features, like site stats or content sharing, you should keep WordPress XML-RPC enabled.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730446680735\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">How can I check if XML-RPC is enabled?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>You can check if XML-RPC is enabled by visiting <em>yourwebsite.com\/xmlrpc.php<\/em>. If enabled, you\u2019ll see a message like \u201cXML-RPC server accepts POST requests only.\u201d Otherwise, you\u2019ll get an error message.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730446681769\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">What is a brute force attack through XML-RPC?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>A brute force attack happens when hackers try to guess your username and password by sending many combinations through xmlrpc.php. 
This file allows them to test hundreds of passwords in just one command, making it easier to break in.<\/p>\n\n<\/div>\n<\/div>\n<div id=\"faq-question-1730446716666\" class=\"rank-math-list-item\">\n<h6 class=\"rank-math-question \">Can I re-enable XML-RPC after disabling it?<\/h6>\n<div class=\"rank-math-answer \">\n\n<p>Yes, you can easily re-enable xmlrpc.php by deactivating the plugin you used to disable it or removing the code you added to your .htaccess file.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n<h3 class=\"wp-block-heading h4\" id=\"other-related-tutorials-blogs\">Other Related Tutorials &amp; Blogs:<\/h3>\n\n\n\n<p>&#8211; <a href=\"https:\/\/www.hosted.com\/articles\/monitoring-wordpress-security-breaches\/\" target=\"_blank\" rel=\"noopener\" alt=\"Link to Hosted.com Articles - 10 Essential Tips for Monitoring WordPress Security Breaches\" title=\"Hosted.com - 10 Essential Tips for Monitoring WordPress Security Breaches\">10 Essential Tips for Monitoring WordPress Security Breaches<\/a><\/p>\n\n\n\n<p>&#8211; <a href=\"https:\/\/www.hosted.com\/articles\/wordpress-website-maintenance-cost\/\" target=\"_blank\" rel=\"noopener\" alt=\"Link to Hosted.com Articles - A Comprehensive Guide to WordPress Website Maintenance Cost\" title=\"Hosted.com - A Comprehensive Guide to WordPress Website Maintenance Cost\">A Comprehensive Guide to WordPress Website Maintenance Cost<\/a><\/p>\n\n\n\n<p>&#8211; <a href=\"https:\/\/www.hosted.com\/articles\/automated-wordpress-security-scan\/\" target=\"_blank\" rel=\"noopener\" alt=\"Link to Hosted.com Articles - 5 Reasons Why You Need Automated WordPress Security Scans\" title=\"Hosted.com - 5 Reasons Why You Need Automated WordPress Security Scans\">Automated WordPress Security Scans \u2013 5 Reasons Why You Need Them<\/a><\/p>\n\n\n\n<p>&#8211; <a href=\"https:\/\/www.hosted.com\/articles\/502-bad-gateway\/\" target=\"_blank\" rel=\"noopener\" alt=\"Link to Hosted.com Tutorials - How to Fix 502 Bad Gateway 
Error in WordPress\" title=\"Hosted.com - How to Fix 502 Bad Gateway Error in WordPress\">How to Fix 502 Bad Gateway Error in WordPress<\/a><\/p>\n\n\n\n<p>&#8211; <a href=\"https:\/\/www.hosted.com\/articles\/wordpress-500-internal-server-error\/\" target=\"_blank\" rel=\"noopener\" alt=\"Link to Hosted.com Tutorials - How to Fix the WordPress 500 Internal Server Error\" title=\"Hosted.com - How to Fix the WordPress 500 Internal Server Error\">How to Fix the WordPress 500 Internal Server Error<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> In WordPress, xmlrpc.php is a file that allows your website to communicate with external applications, such as mobile apps or remote publishing tools. It acts as a bridge that enables you to access and control your site from outside the WordPress dashboard. While this functionality can be useful, it&#8217;s important to understand how XML-RPC works, as it has been linked to several security risks. One of the major concerns with XML-RPC is its vulnerability to brute force attacks and Distributed Denia&#8230; <a alt='xmlrpc.php In WordPress: What It Is And Why Disable It' title='xmlrpc.php In WordPress: What It Is And Why Disable It' href='https:\/\/www.hosted.com\/articles\/disable-xmlrpc-php-in-wordpress\/' class='read-more'>Read 
More<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6,8,213,123],"tags":[251],"class_list":["post-7249","post","type-post","status-publish","format-standard","hentry","category-tutorials","category-website-development","category-wordpress-coding","category-wordpress-troubleshooting","tag-wordpress-disabling-xmlrpc-php"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/posts\/7249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/comments?post=7249"}],"version-history":[{"count":13,"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/posts\/7249\/revisions"}],"predecessor-version":[{"id":12385,"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/posts\/7249\/revisions\/12385"}],"wp:attachment":[{"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/media?parent=7249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/categories?post=7249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hosted.com\/articles\/wp-json\/wp\/v2\/tags?post=7249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}